In his talk "Devise Pitfalls and Way to Tighten Security," Rafał Rothenberger discusses the security issues and limitations of the popular authentication library Devise. He begins by acknowledging Devise's popularity and how it is often perceived as secure because of its widespread use, but argues that this perception can be misleading. The presentation is organized around several key themes:

- **Overview of Devise**: Devise is a library for user authentication and management, providing essential features such as password resets and sessions. Despite its popularity, it has notable pitfalls.
- **Limitations of Devise**: Rothenberger emphasizes the misuse of libraries within Devise, specifically BCrypt, and in particular BCrypt's 72-byte password length limit and its security implications. He discusses how improper handling can expose vulnerabilities, including leaking critical data such as the password pepper.
- **Improvement Suggestions**: Rothenberger recommends alternatives such as Argon2, which offers better password hashing than BCrypt.
- **Token-Based Authentication**: He notes the growing need for token-based authentication as mobile applications surge, and advocates simple opaque tokens over JWTs, highlighting the benefits of storing tokens in secure, HTTP-only cookies to mitigate the risks of leaks.
- **Enumeration Attacks**: The discussion includes ways to defend against enumeration attacks, in which attackers infer the existence of accounts from application feedback. Strategies include not revealing through application responses whether an account exists.
- **Timing Attacks**: Rothenberger warns about timing attacks, which use differences in response time to determine the validity of submitted information. He suggests offloading checks to background processes to reduce exposure to these attacks.
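The 72-byte limit mentioned in the second bullet is easiest to see in code. The following Ruby is an added example, not code from the talk or from Devise itself. It models what bcrypt actually hashes when a Devise-style input of password followed by pepper crosses the 72-byte boundary (bcrypt is not called; the truncation is modelled with `byteslice`), and shows two defensive responses: rejecting inputs that would be truncated, and pre-hashing with HMAC-SHA256 keyed by the pepper so that the value handed to bcrypt is always 44 bytes. `BCRYPT_MAX_INPUT`, the helper names and the pepper value are assumptions of this example.

```ruby
require "openssl"

# bcrypt hashes only the first 72 bytes of its input; anything beyond that
# contributes nothing to the stored hash. (Assumed constant for this model.)
BCRYPT_MAX_INPUT = 72

# Models what bcrypt actually sees for a "password + pepper" input:
# the concatenation cut at the 72-byte boundary. Constructed model only;
# the real bcrypt function is not invoked here.
def bcrypt_effective_input(password, pepper)
  (password + pepper).byteslice(0, BCRYPT_MAX_INPUT)
end

# true if the pepper changes the bytes bcrypt hashes, false if it is
# silently dropped because the password alone already fills 72 bytes.
def pepper_effective?(password, pepper)
  bcrypt_effective_input(password, pepper) != bcrypt_effective_input(password, "")
end

# Mitigation 1: refuse any password whose peppered form would be truncated,
# so a long password can never push the pepper past the boundary.
def password_length_ok?(password, pepper)
  password.bytesize + pepper.bytesize <= BCRYPT_MAX_INPUT
end

# Mitigation 2: pre-hash with HMAC-SHA256 keyed by the pepper, then base64.
# The result is always 44 bytes, so nothing is truncated and the pepper
# always influences the value that bcrypt goes on to hash.
def prehash_for_bcrypt(password, pepper)
  mac = OpenSSL::HMAC.digest("SHA256", pepper, password)
  [mac].pack("m0") # strict base64, no newline
end

if __FILE__ == $PROGRAM_NAME
  pepper = "constructed-pepper-value"
  long_password = "a" * 72
  puts "pepper effective for 72-byte password? #{pepper_effective?(long_password, pepper)}"
  puts "length check passes? #{password_length_ok?(long_password, pepper)}"
  puts "pre-hashed input length: #{prehash_for_bcrypt(long_password, pepper).bytesize}"
end
```

The pre-hash approach is the one to prefer when the password policy allows long passphrases: it keeps every byte of the password and the pepper relevant while staying comfortably under bcrypt's limit.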
The talk concludes with a call for vigilance in implementing security measures, offering practical advice on improving user privacy and security while using authentication libraries like Devise. The audience is encouraged to consider outsourcing user management to services like Auth0, which alleviates some risks, although caution is still required regarding token management. Overall, Rothenberger emphasizes the importance of proactive measures to safeguard user data against evolving threats in application security.
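The opaque-token recommendation and the closing caution about token management can be made concrete. The following Ruby is an added example, not code from the talk, from Devise or from Auth0: it issues random opaque tokens that carry no claims, stores only their SHA-256 digest server-side so a leaked table yields nothing usable, compares digests in constant time so lookup timing does not reveal how many bytes matched, and builds the `HttpOnly; Secure` cookie header that keeps the token away from page scripts and plaintext connections. The class, method names, TTL and cookie name are assumptions of this example.

```ruby
require "securerandom"
require "digest"

# Constant-time byte comparison: the time taken does not depend on where the
# first mismatch occurs. A length mismatch is rejected up front.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# In-memory store of opaque session tokens. Only the digest of each token is
# kept, so the raw token exists solely in the client's cookie.
class OpaqueTokenStore
  TOKEN_BYTES = 32 # 256 bits of randomness; the token encodes no claims

  def initialize
    @sessions = {} # hex digest => { user_id:, expires_at: }
  end

  # Returns the raw token once; it is never persisted server-side.
  def issue(user_id, ttl_seconds: 3600, now: Time.now)
    token = SecureRandom.urlsafe_base64(TOKEN_BYTES)
    @sessions[digest(token)] = { user_id: user_id, expires_at: now + ttl_seconds }
    token
  end

  # Resolves a presented token to a user id; nil for unknown or expired tokens.
  # Every stored digest is checked with a constant-time compare. An indexed
  # lookup by digest would also be safe (the digest is not invertible to the
  # token), but this form makes the constant-time point explicit.
  def authenticate(token, now: Time.now)
    presented = digest(token.to_s)
    @sessions.each do |stored, session|
      next unless secure_compare(stored, presented)
      return nil if session[:expires_at] <= now
      return session[:user_id]
    end
    nil
  end

  # Server-side revocation is possible precisely because the token is opaque
  # and looked up, rather than self-validating like a signed JWT.
  def revoke(token)
    !@sessions.delete(digest(token.to_s)).nil?
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end

# Set-Cookie header for delivering the token to a browser. HttpOnly keeps
# scripts from reading it; Secure keeps it off plaintext connections.
def session_cookie_header(token, max_age: 3600)
  "session=#{token}; Path=/; Max-Age=#{max_age}; HttpOnly; Secure; SameSite=Lax"
end

if __FILE__ == $PROGRAM_NAME
  store = OpaqueTokenStore.new
  token = store.issue(42)
  puts session_cookie_header(token)
  puts "authenticated user: #{store.authenticate(token).inspect}"
  store.revoke(token)
  puts "after revoke: #{store.authenticate(token).inspect}"
end
```

Because the server holds only digests, a database leak does not hand out live sessions, and because the token is a lookup key rather than a signed claim set, a compromised or stale token can be revoked immediately rather than waiting for a JWT expiry.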